
Client Firewall active location detection failing

Hello,

I'm having problems getting the Client Firewall (from Endpoint Security & Control 9) to recognize the primary location. No matter how I specify this, my laptop clients always believe they are on the Primary Location, even when the user leaves the office and uses the systems at home.

We have a fairly large WAN connected by leased lines and all served by an Active Directory DNS service. On every site our DNS refers back to the server we use to distribute our Sophos Policies. That system does not have a public IP address as it is hidden behind our firewall.

In the central configuration policy for the Firewall I am setting the Location detection by DNS. My belief is that the FQDN and IP address combination I have entered is always correct when my clients are within our network and will fail to resolve when they are on foreign networks (like their own broadband connections). I should then be able to configure the firewall to behave differently depending upon it finding the primary location or not.

Now I'm probably doing something wrong here, but no matter how I specify the policy server's IP address, my firewall clients are always showing that the active location is the Primary location, even when used outside the bounds of our LAN/WAN.

I have made various tests to confirm that the DNS resolution is not the cause of this and this always seems to be fine.

Has anybody else seen this behavior, or can you suggest what I may be doing wrong?

Is there a comprehensive Firewall Configuration guide available? I haven't been able to locate one as yet.

Many thanks in advance,

Paul


  • Hello Paul,

    my firewall clients are always showing that the active location is the Primary location [...] I have made various tests to confirm that the DNS resolution is not the cause.

    How did you check? I'm asking 'cause I don't have any issues. That is - I used to think so. Just noticed some problem and I'll perhaps engage support (but it's not a general problem and about detecting the primary location). Whenever an adapter is "activated" a corresponding entry should be found in the firewall log (System Log): Detected location as .... (often first as secondary and after a few seconds as primary). Of course the SCF settings should be verified on the client (I'm quite sure you did but after all those years in IT I'd rather ask a second time "you sure the power cord is plugged in?" than not asking at all). Oh - and they don't have a VPN connection or something like it?

    Re-checked that a hosts or lmhosts entry doesn't affect detection.

    In case the community is as clueless as I - there's always Sophos Support.

    [Edit:] Searching the knowledgebase for firewall and configuration gives quite a number of hits. If a version is mentioned it's 1.5 but not 2.0.1. Both User manuals and Release notes are about 1.5. Only the ESC9/SEC4 manuals contain information about the current version. And the SEC4.0 manual says: For a full list of the default firewall settings, see Sophos support knowledgebase article 57756 (http://www.sophos.com/support/knowledgebase/article/57756.html) - it doesn't seem to exist.

    Christian

  • Hello Christian, thanks for your reply,

    As you suggested, I have already checked various logs, etc., but there seems to be no way of reconciling the selection of the Primary location with what I see on the client systems.

    NSLOOKUP always responds that the FQDN and even just the host name cannot be located when we are out of the office, so that rules out any DNS, Hosts or LMHosts issues. If I ping away directly at the IP address of the IP Address which we are saying must resolve to verify that the active location is the active location, we get no response. I have also tried using a different host and IP pair just in case it was something to do with the server's relationship with the Sophos client that was the issue (it is the Enterprise Manager host). This also made no difference.

    Calling Tech Support is possible, but would probably be a last resort as I would have to check the client systems outside of regular office hours and at home on a broadband connection.

    I was hoping someone would say that I had simply forgotten a ticky-box or something or had come across some documentation that I had not yet located.

    Paul

  • Hello Paul,

    I was hoping someone would say that I had simply forgotten a ticky-box or something

    If - then it's obviously not obvious.

    {enter debug mode}

    All of your SCF clients fail to detect the secondary location? BTW: no connectivity at all should give secondary location (but detection is not triggered when you simply unplug the cable, it's best to boot without (LAN-)connectivity).

    Tried different things and eventually managed to keep the primary location although I disconnected the cable. Had an active wireless connection although to a network segment which has no access to the DNS giving the configured response. But detection was not triggered so the rules for primary stayed. And while the setting "survived" hibernation I think that a disconnect/reconnect due to signal loss (which for lack of a Faraday cage I could not simulate) would have triggered detection.

    So - the client might continue using the profile for the primary connection if a second connection is already active (that's why one should use block bridged) when the LAN connection is dropped, this should be corrected. But next time detection is triggered the result should be correct.

    Christian

  • Hello Christian,

    Thanks for your continued interest in my issue.

    I have one of the offending laptops in front of me. I am out of the office, and so have no DNS that will resolve the host that we are using as the trigger system.

    If I log on to the laptop, without any network cable plugged in and without a valid wireless connection, and start Endpoint Security and Control the status says that the firewall is enabled and the active location is the primary location. If I issue an IPCONFIG command on that system I am told that both my network adapters (wired/wireless) are disconnected. If I try to resolve the hostname of our system in NSLOOKUP all I get is a time out.

    The Firewall log shows two entries separated by a few seconds:

    17:52:40 Firewall successfully configured (primary location).

    17:52:42 Detected location as secondary.

    This would seem to suggest that the Endpoint console is simply displaying the firewall configuration information incorrectly and that the firewall is working correctly, but in reality because I have no network access, that status is irrelevant.

    I then plug a cable between my broadband router and the laptop. IPCONFIG shows that I now have an IP address, and I am able to surf the internet. When I attempt to resolve the FQDN of the server name in NSLOOKUP I do not get a result, I get non-existent domain. I also cannot get a result when I ping the IP address of the server directly. This should mean that I am still in the secondary location.

    However the firewall log shows the following entry.

    18:00:28 Detected location as primary.

    I think this is wrong as I am still unable to resolve the name of my server, and I am also unable to reach that server.

    If I unplug the cable from the laptop I would expect the Firewall to revert back to the condition it was in prior to my inserting the cable, but it doesn't. Again, I think this is wrong.

    I have waited 10 minutes to see if the status changes back, but it seems as though it's not going to.

    I'll leave it and check it later and report back.

  • Hello Christian,

    To continue on my earlier post, I waited for an hour to see if the firewall location changed. It didn't.

    So to recap, it seems that at boot the firewall defaulted into primary location mode. Within a few seconds it realised that it could not connect to anything at all, including the host I have specified as the device which should be resolved to indicate the laptop was on the primary location. At this point it changed to secondary location.

    While this is not quite as I would expect, I can understand the reasoning.

    When I insert a network cable, even though the host is neither available, or can be resolved, the firewall returns to primary mode. That just sounds plain wrong.

    Unplugging the cable, which should make the system fall back to the same state it was in after boot, does not change the selected location. Again, that just sounds wrong.

    I should have explained that we are trialling the Sophos firewall with a view to rolling it out to all clients in a few weeks. At the moment we have tried five or six different notebooks and they all demonstrate this behaviour. We have tinkered with numerous settings in an effort to affect this behaviour, so many I can no longer list them accurately, but nothing seems to affect this location detection behaviour.

  • Hello Paul,

    trying to make a few things a little bit clearer:

    At boot time it's always a race condition. Certain activity must be permitted so that the client can connect to the network at all. Only when the connection is available can certain decisions be made. Until then it does not really matter which settings are used. Keep in mind that the primary goal is to detect the primary location (bad pun), that is as the Configure popup says: If any of ... via/on any of the network adapters. To be manageable a firewall can't go into block-all mode. Some firewalls have a panic button to cut all traffic but while this is ok for a personal firewall it's not suitable for a centrally managed environment. And therefore the primary (and less restrictive) location is given precedence (but this doesn't explain all your findings).

    Detection will be re-triggered when an(other) adapter connects (but not when it disconnects). The idea is that you use cable and block bridging when in your primary network. Disconnecting the cable "frees" the other adapters and as one of them might connect, the secondary location is then detected. If a second connection is already active when you disconnect the cable the location stays primary even though you are now perhaps outside your network. I agree that this is not desirable - although it doesn't matter if you disconnect the only adapter (as there can't be any traffic which needs to be controlled) - because the connection to your network could be WLAN and you can't use block bridging in this case and nowadays it's not uncommon to have multiple wireless adapters.

    Detection using DNS means that a (at least one of several) FQDN(s) resolves to the corresponding configured address. It does not require that this address can be reached or that a device with this address exists.

    I wouldn't trust NSLOOKUP as it's unreliable when multiple adapters are active. You have to check which nameserver it queries. I've connected to our "guest" WLAN (secondary detected), checked that NSLOOKUP didn't resolve the name used for location detection and connected the cable. SCF immediately selected primary. NSLOOKUP - using the nameserver from the first connection - still returned non-existent domain. As Windows' network stacks are - to put it mildly - a tangle it's no surprise that you don't always get the expected results.

    The question remains, why Sophos thinks it gets a valid response when you connect the cable. Using Wireshark I can see the request and subsequent response. And - Wireshark will also show you all available interfaces including virtual adapters and their status.

    Christian

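Christian's description of the rule (the FQDN has to resolve to the configured address; whether that address is reachable does not matter) and his warning that NSLOOKUP may be asking a different adapter's nameserver suggest checking each nameserver directly. The script below is an added example, not code from the thread or from Sophos; the FQDN, address and transaction id are constructed placeholders, and the servers passed to probe_nameserver() would be the ones ipconfig /all lists for each adapter.

```python
import socket
import struct

EXPECTED_FQDN = "sec.corp.example"  # constructed placeholder for the policy's FQDN
EXPECTED_IP = "10.0.0.10"           # constructed placeholder for its configured address

def build_a_query(fqdn, txid=0x1234):
    """Build a minimal DNS A query: one question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in fqdn.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2          # a 2-byte compression pointer ends the name
        off += 1 + msg[off]
    return off + 1                  # past the terminating zero label

def parse_a_records(msg, txid=0x1234):
    """IPv4 addresses in the answer section; [] on wrong txid or non-zero RCODE."""
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != txid or flags & 0x000F != 0:   # RCODE 3 is NXDOMAIN
        return []
    off = 12
    for _ in range(qd):                        # step over the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def location_is_primary(answers, expected_ip=EXPECTED_IP):
    """The DNS rule as described above: the FQDN must resolve to the configured IP."""
    return expected_ip in answers

def probe_nameserver(server, fqdn=EXPECTED_FQDN, timeout=2.0):
    """Query one nameserver directly instead of whichever one NSLOOKUP picks by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(fqdn), (server, 53))
        try:
            return parse_a_records(sock.recv(512))
        except socket.timeout:   # no reply at all: treat as not resolving
            return []
```

Running location_is_primary(probe_nameserver(s)) for each adapter's nameserver s shows what the DNS rule should yield per adapter; a primary result from only one of them is enough for SCF, which is consistent with the behaviour Paul sees when the cable is connected.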
  • Hi Christian,

    I agree, there are some curious things going on here, and I will investigate with Wireshark on the same laptop when I can get away from the office again.

    However, if this is simply the way that SCF works, I will never be able to achieve what I am looking for as the location will never be correctly identified. What I want is a relaxed configuration as long as the laptop is on the primary site (that is can resolve the address of my Enterprise Management Server), but a more aggressive configuration when the laptop is off-network.

    In the tests I made yesterday, the laptop could not see the client, nor could it resolve its address. So there is no reason for the SCF to switch to the primary location just because I applied a network cable.

    If I can't resolve it over the weekend, I will have to pass it on to Sophos Tech. Support.

    Thanks for all your help so far.
